Security researcher Amir Etemadieh (@Zenofex) has released a pre-authentication zero-day remote command execution (RCE) exploit in vBulletin on 9th August 2020. This exploit bypasses the patch for a previous RCE in vBulletin 5.0 through 5.4 and has since been assigned CVE-2019-16759.
This information was published on blog.exploitee.rs explaining how the patch for the previous vulnerability works, and why it is insufficient. A simple HTTP POST request can be used to execute commands remotely on the targeted vBulletin host without authentication. This may allow an attacker to steal or tamper with data or even launch assaults on other systems depending on the level of credentials.
Notable vBulletin customers that could be effected include; Denver Broncos, Pearl Jam, EA, Steam and even NASA. Many dark web forums also often run on vBulletin.
Some good news is that the researcher also included some configuration changes which they state can be used to mitigate the vulnerability.
And more good news is that AppCheck has already released a plug-in for this specific vulnerability so your standard scans will now be picking up this vulnerability.
As always, if you require any more information on this topic or want to see what vulnerabilities AppCheck can pick up in your website and applications then please get in contact with us: firstname.lastname@example.org
No software to download or install.
Contact us or call us 0113 887 8380